RHEL 7 login delay using SSSD (IPA client) related to SELINUX

Hello,
I fought with this issue for a long time. When logging in with IPA accounts, the login process after the password was entered took over a minute.

I looked into the usual suspects:

1) SSH configuration:

[root@lab-365-someserver~]# grep DNS /etc/ssh/sshd_config
UseDNS no

2) Resolver configuration:
* Made sure the DNS servers were accessible and there was no delay in that connection
* Also tried the following option in /etc/resolv.conf:
options single-request-reopen

3) Restarted a couple of services. These were apparently the culprit in some other cases where dbus was restarted but the logind service was not (which should also be taken care of with a reboot, which was not the case here):

systemctl restart dbus-org.freedesktop.login1.service
systemctl restart systemd-logind.service

These did not make a difference for me. After putting SSSD in debug mode I realized that there was a long pause here:

==> /var/log/sssd/selinux_child.log <==
(Tue Jun 26 15:43:52 2018) [[sssd[selinux_child[12711]]]] [main] (0x0400): context initialized
(Tue Jun 26 15:43:52 2018) [[sssd[selinux_child[12711]]]] [main] (0x0400): performing selinux operations
(Tue Jun 26 15:44:36 2018) [[sssd[selinux_child[12711]]]] [libsemanage] (0x0080): user xxxxx not in password file
(Tue Jun 26 15:44:36 2018) [[sssd[selinux_child[12711]]]] [libsemanage] (0x0080): user xxxx not in password file
(Tue Jun 26 15:44:36 2018) [[sssd[selinux_child[12711]]]] [libsemanage] (0x0080): user xxxx not in password file
(Tue Jun 26 15:44:36 2018) [[sssd[selinux_child[12711]]]] [libsemanage] (0x0080): user xxxx not in password file
(Tue Jun 26 15:44:36 2018) [[sssd[selinux_child[12711]]]] [libsemanage] (0x0080): user xxxxx not in password file
(Tue Jun 26 15:44:36 2018) [[sssd[selinux_child[12711]]]] [libsemanage] (0x0080): user xxxxx not in password file
(Tue Jun 26 15:44:57 2018) [[sssd[selinux_child[12711]]]] [pack_buffer] (0x0400): result [0]
(Tue Jun 26 15:44:57 2018) [[sssd[selinux_child[12711]]]] [main] (0x0400): selinux_child completed successfully

I looked into SSSD and IPA user forums and since my systems do not use SELINUX, I went ahead and added this to the domain section in the sssd configuration:

selinux_provider=none

After this the login process is immediate, as expected.

Just sharing in case someone might benefit from it. It took me quite some time to find this or to see if there is actually a better way to address this.
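
An added example, not part of the original post: a Python script that scans selinux_child.log lines in the format shown above and reports pauses between consecutive entries from the same child process, which is how the stall was spotted by eye. The function name `find_stalls`, the 5-second threshold and the abridged sample are assumptions of this example.

```python
import re
import sys
from datetime import datetime

# Abridged from the selinux_child.log excerpt in the post (repeated lines trimmed).
SAMPLE_LOG = """\
(Tue Jun 26 15:43:52 2018) [[sssd[selinux_child[12711]]]] [main] (0x0400): context initialized
(Tue Jun 26 15:43:52 2018) [[sssd[selinux_child[12711]]]] [main] (0x0400): performing selinux operations
(Tue Jun 26 15:44:36 2018) [[sssd[selinux_child[12711]]]] [libsemanage] (0x0080): user xxxxx not in password file
(Tue Jun 26 15:44:57 2018) [[sssd[selinux_child[12711]]]] [pack_buffer] (0x0400): result [0]
(Tue Jun 26 15:44:57 2018) [[sssd[selinux_child[12711]]]] [main] (0x0400): selinux_child completed successfully
"""

# "(timestamp) [[sssd[<child>[<pid>]]]] [<function>] (<level>): <message>"
LINE_RE = re.compile(
    r"^\((?P<ts>\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d \d{4})\) "
    r"\[+sssd\[[^\[\]]+\[(?P<pid>\d+)\]+ "
    r"\[(?P<func>[^\]]+)\] \(0x[0-9a-fA-F]+\): (?P<msg>.*)$"
)


def find_stalls(log_text, threshold_s=5):
    """Return (gap_seconds, pid, entry_before, entry_after) for every pause
    of at least threshold_s seconds between consecutive lines of one PID."""
    last = {}    # pid -> (timestamp, entry) of the previous line from that PID
    stalls = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip "==> file <==" headers and other line formats
        ts = datetime.strptime(" ".join(m["ts"].split()), "%a %b %d %H:%M:%S %Y")
        entry = f'[{m["func"]}] {m["msg"]}'
        if m["pid"] in last:
            prev_ts, prev_entry = last[m["pid"]]
            gap = (ts - prev_ts).total_seconds()
            if gap >= threshold_s:
                stalls.append((gap, m["pid"], prev_entry, entry))
        last[m["pid"]] = (ts, entry)
    return stalls


if __name__ == "__main__":
    # Pass a log path as the first argument, or run without one for the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    for gap, pid, before, after in find_stalls(text):
        print(f"pid {pid}: {gap:.0f}s between '{before}' and '{after}'")
```

On the excerpt from the post it reports a 44-second and a 21-second pause, both inside the SELinux operations of the same selinux_child process.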
